About GDPR

What is GDPR?

The European General Data Protection Regulation (GDPR) introduces new data protection rules. From May 2018, citizens have more control over their data and businesses benefit from a level playing field. Law 101/2000 Coll. is a thing of the past. However, you must comply with a number of new obligations, such as keeping records of processing.

Who is it for?

GDPR brings a whole new set of obligations

Thanks to the EU Data Protection Regulation, new adaptation laws are being created and those related to Law 101/2000 Coll. are being repealed:

  • Reporting incidents to the DPO

  • Data Protection Impact Assessment Audit

  • Appointment of a Data Protection Officer

Any data subject whose data you store will have extensive rights from 25 May 2018, such as the right to be forgotten. The fines are completely devastating.

GDPR documentation

How will GDPR templates help with compliance in the area of personal data processing?

You are obliged to submit the GDPR Documentation to the Data Protection Authority (DPA) upon request. Properly documenting that your organization is compliant with the new data protection rules is thus one of the most challenging requirements.

Once you are subject, for whatever reason, to an inspection by the supervisory authority of the DPO, one of the basic GDPR requirements you will be confronted with is to properly document the personal data you process, the purposes of that processing and your records of processing activities.

One of the new and key obligations, for example, is to keep records of processing activities: document what data you process, for what purposes and under what conditions. You also need properly established internal guidelines, staff familiarisation with those processing guidelines and a number of other documents.

Data Protection Officer

The General Data Protection Regulation (GDPR) requires a number of organisations to create a Data Protection Officer position and fill it with a qualified person.

The Data Protection Officer can be an internal employee as well as an external expert. In addition, a group of companies or public bodies may appoint one Data Protection Officer to carry out the tasks arising from the GDPR for all of them.

However, the organisation must always ensure that the Data Protection Officer does not have a conflict of interest, i.e. that he or she is not also the person who decides on a given processing operation and sets its specific parameters.

When to appoint a Data Protection Officer?

Is it your legal obligation to appoint a Data Protection Officer? Or do you fall into the category of those who are "advised" to do so as part of a GDPR compliance program? For a number of entities the obligation to appoint a Data Protection Officer arises directly from the legislation, in particular the GDPR; for others the appointment is appropriate and beneficial in various ways. Namely:

(1) Public administrations

Public administration or local government bodies and other public institutions that carry out public administration or conduct administrative or similar proceedings. The following must appoint a Data Protection Officer:

  • Ministries

  • Regions, statutory cities, municipalities, schools

  • Security forces (Police of the Czech Republic, public prosecutor's office, customs administration)

  • Central administrative authority or independent public authority (State Labour Inspection Office, Czech Statistical Office, CNB ...)

  • Self-governing chambers (Czech Medical Chamber, Chamber of Auditors, Chamber of Executors or Czech Chamber of Architects ...)

(2) Organisations and companies

Organisations that carry out extensive and regular processing of personal data, including monitoring and profiling of the persons concerned. Failing to create the position of Data Protection Officer, assigning it incorrectly within the organisation or filling it with a person who lacks sufficient knowledge of the law and practice of personal data processing may be considered a breach of the GDPR, punishable by a fine of up to 10 million or 2% of the worldwide turnover of the business group concerned, whichever is higher.

This broadest category includes companies across sectors:

  • Telco operators

  • Staffing agencies

  • Energy suppliers or distributors

  • Loyalty scheme operators

  • Housing associations, housing stock management

  • Banks, insurance companies, non-bank credit providers

  • Providers of cloud-based tools for large-scale data processing

  • Operators of CCTV or security systems that capture public spaces

  • eShops, online advertising tools that use cookies or other user tracking tools

(3) Healthcare

This category includes all institutions whose activities involve the processing of sensitive personal data (health, biometric or genetic data, data on racial or ethnic origin, sexual orientation ...). A Data Protection Officer must be appointed by:

  • Health insurance companies

  • Genetic laboratories

  • Medium and larger healthcare institutions (clinics, hospitals)

  • Operators of biometric identification or authentication systems

(4) Other organisations and institutions

Data Protection Officers may also be appointed by other organisations that are not directly obliged to do so by law. Creating the position of Data Protection Officer and staffing it with a qualified employee in accordance with the requirements of the GDPR can be an important part of a compliance program and thus contribute to demonstrating that the organisation's activities comply with the legal requirements.

The voluntary appointment of a Data Protection Officer can be a significant positive signal that the organisation is committed to the proper processing of personal data and ensuring its compliance with legal requirements, both for clients and for the organisation's employees or suppliers.

A properly designed and enforced compliance program can also be a tool for avoiding the criminal liability of the legal entity.

In what cases is the appointment of a Data Protection Officer recommended as a positive signal to the Office for Personal Data Protection?

  • Wherever there is a greater risk of a data breach

  • When processing personal data (clients, employees) on a larger scale

  • In a highly regulated environment, e.g. a bank with a focus on corporate clients

  • For generally sensitive information (trade secrets, information protected by special confidentiality)

  • For a group of smaller companies which are not individually subject to the obligation to appoint a Data Protection Officer, but which in aggregate carry out complex and extensive data processing

Rights and obligations of the Data Protection Officer

Each organisation that appoints a data protection officer is responsible not only for selecting a sufficiently qualified person, but also for allocating resources to the officer to ensure that he or she continues to maintain and develop his or her qualifications.

Requirements for the position of Data Protection Officer

The Data Protection Officer must have at least a basic knowledge of the law and practice in the area of personal data processing. He or she should also have a basic ability to understand information security, set up and manage processes and conduct audits. It seems like a challenging task, but we prepare you for this position in an internationally certified course that requires no entry prerequisites.

Agenda of the Data Protection Officer

What falls under the Data Protection Officer's agenda? As a Data Protection Officer, you may be assigned a number of tasks by the organisation: participating in staff training, reviewing internal policies and contracts that relate to the processing of personal data, keeping records of processing and reporting data breaches to the DPO.

Other agenda:

  • Representative for communication with the Data Protection Authority

  • Contact point for all those involved in the processing of personal data

  • Monitoring activities in relation to GDPR compliance, cooperation on audits

  • Providing internal data processing "advice" to management and employees

Status of the Organisation, the Controller, the Processor and the Data Protection Officer

However, the appointment of a Data Protection Officer does not end the organisation's obligations under the GDPR; rather, it begins them. Among other things, the organisation, whether controller or processor of personal data, must ensure that the Data Protection Officer is involved in a timely and sufficient manner in all processes relating to the processing of personal data and the setting of its parameters, that he or she has sufficient resources to carry out his or her tasks, that he or she is independent in the performance of those tasks, and that he or she has access to the organisation's management on data protection matters.

GDPR Audit

Your first step is a GDPR Audit. Online and free.

This tool guides you through an audit of your organisation in an easy-to-understand way, so that you can get an overview of your processes, focus on key issues and prioritise them correctly without external consultants.

What are the key benefits?

  • It is available online and free of charge

  • With descriptions and tips, you can manage the audit on your own

  • Get an objective view of your organisation's state of readiness

  • You can specify exactly where and to what extent you need help

The GDPR Audit Tool sorts your compliance findings against professionally prepared answers, at a level of detail that lets you identify the essential aspects and non-compliant areas of your data processing as accurately as possible.